Crypto variants are becoming more and more common. I’ve had the fun of going through one myself, and I regularly see reports of it on one of my favorite websites, Reddit.
So, I have decided to take the time to write a little post on how to minimize the impact of a cryptolocker variant on your network. Not how to stop one, but how to prevent it from breaking too many things. Trying to stop a crypto is a long and hard process that involves user education (never fun!).
Points I’ll cover
- Vectors of attack
- Good End Device protection
- Good file server protection
- Backup and restore methods
So, without any further ado:
Vectors for attack
Crypto variants can come in through any device that can transfer data: USB sticks, e-mails, web browsing and more. The two main culprits are dodgy e-mails and web browsing. E-mails usually come in with an attachment called “Invoice” or something similar. These are usually full of macros that launch malware on the end device; the malware then tends to be a trojan that fetches the crypto payload and starts encrypting all that precious data.
Good End device Protection
This is one of the biggest ways of reducing impact: make sure you have a good, centrally managed antivirus installed on every PC on your domain. We use SCCM’s Endpoint Protection on our network and it works a treat. We have e-mail alerts set up to come into our ticket queue, so we see it very, very quickly. Make sure you have real-time scanning enabled, with scheduled scans at least once a day for a quick scan and once a week for a full scan.
If your end users have no need to use USB devices for data transfer, it may be worthwhile to restrict the devices your users can plug into the ports. Just keep it to keyboards and mice for now; it would be impressive to see a crypto come in via one of those. A good article is available here on how to do so.
Another popular method of blocking the malware from even starting is to use AppLocker in Windows. You can configure AppLocker via Group Policy and it is a life saver. I’m starting to implement it in my company and it’s working really nicely under testing. It basically stops any executable from being run on the system unless it is allowed by the AppLocker policy. A good guide for implementing AppLocker is here.
One of the biggest solutions is to set up a robust spam filter for your e-mail service. We use Mimecast and Microsoft Exchange 2013. Since implementing Mimecast we have had hardly any e-mails containing dodgy attachments slip through the net. We also scan outbound mail so as to make sure that an infected device can’t spread to anyone in its address list. Trust me, it happens! We also use MSME local to the Exchange server to capture any internal e-mails, just in case.
A crypto almost always comes from an end user device; they’re the biggest weakness on the network. If you can prevent one spreading when a device gets hit, you’re in a pretty good position. A little user education doesn’t hurt either, maybe a mass e-mail round with a few pointers on it, just screenshots of what to watch out for. I’ve found it quite useful over time.
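As an added example (not the guide the post links to, and not the author’s own policy), this builds an AppLocker allow-list from the approved installs on a reference PC and then tests a file against it before applying it. The directories, the output path, the user name and the sample download path are assumptions; the policy should be run in audit mode first and the Application Identity service must be running for AppLocker to enforce anything.

```powershell
# Added example: AppLocker allow-list built from a reference machine.
# Paths, user and GPO below are hypothetical.
Import-Module AppLocker

$refDirs   = "C:\Program Files", "C:\Program Files (x86)", "C:\Windows"
$policyXml = "C:\AppLocker\allowlist.xml"

# Publisher rules for signed files, hash rules for everything else;
# -Optimize merges overlapping rules so the policy stays readable.
$refDirs |
    ForEach-Object { Get-AppLockerFileInformation -Directory $_ -Recurse -FileType Exe, Script, Dll } |
    New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -Optimize -Xml |
    Out-File -FilePath $policyXml -Encoding utf8

# Dry run against a (constructed) "Invoice" attachment a user saved to Downloads.
# The file must exist for the hash to be computed; PolicyDecision should read "Denied"
# for anything that is not on the allow-list.
Test-AppLockerPolicy -XmlPolicy $policyXml `
    -Path "C:\Users\jbloggs\Downloads\Invoice.exe" -User "CORP\jbloggs" |
    Select-Object FilePath, PolicyDecision, MatchingRule

# Apply locally, merging with any existing rules. Set
# <RuleCollection Type="Exe" EnforcementMode="AuditOnly"> in the XML first and
# review the AppLocker event log before switching to Enabled.
Set-AppLockerPolicy -XmlPolicy $policyXml -Merge

# Domain-wide: push the same XML into a GPO (placeholder GUID).
# Set-AppLockerPolicy -XmlPolicy $policyXml -Ldap "LDAP://DC=corp,DC=example/CN={GPO-GUID},CN=Policies,CN=System,DC=corp,DC=example"
```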
Good File Server protection
This is the big one: all cryptolocker variants I’ve seen go straight for file shares, especially if they contain the words “Finance” or “Money”. On a Windows file server your best friend is file screening in File Server Resource Manager (FSRM). If you don’t use these, I suggest you look into them and get used to them.
Make sure your file server permissions follow the principle of least access: the more access the infected machine has, the more damage it can do. Overhaul your file server permissions if need be; I’m currently doing mine. Put users into a role based on their position in the company. That role has an AD group; the AD group is then made a member of a domain local group, and you assign the permissions to the domain local group. It makes file permissions management easier, and you will have a much clearer idea of what could be impacted when an end device gets infected.
Infections tend to open hundreds and hundreds of files at once to encrypt them. I use File Server Resource Manager tied with some PowerShell to notify me when a user exceeds 25 files open on the share. No machine should ever have more than 25 files open on this network; half the PCs wouldn’t be able to cope with them all open!
The other useful one is to enable file screening. Block all .exe files and other executable files from within here, and only allow them in the directory they are meant to be stored in (like your software dump). It stops users saving random .exe files to the file share.
Also get a good AV on your file server. If it is a VM I recommend McAfee MOVE; if it’s a physical server there is a McAfee AV client.
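The role-group nesting described above, as an added example (not the author’s own scripts): a role global group is nested into a domain local group that alone carries the NTFS permission, plus a small check that lists which resource groups a given account can reach. It assumes the ActiveDirectory RSAT module, a domain called CORP, an OU and share path as shown, and constructed user names.

```powershell
# Added example: AGDLP layout for one role. OU, domain, share and users are hypothetical.
Import-Module ActiveDirectory

$ou       = "OU=Groups,DC=corp,DC=example"   # assumed OU that holds security groups
$role     = "Finance"                          # role taken from the user's position
$global   = "G-Role-$role"                     # global group: everyone in that role
$domLocal = "DL-FS-Finance-Modify"             # domain local group: one share, one access level
$share    = "D:\Shares\Finance"

# Accounts go into the global (role) group.
New-ADGroup -Name $global -GroupScope Global -GroupCategory Security -Path $ou
Add-ADGroupMember -Identity $global -Members "jbloggs", "asmith"   # constructed sample users

# The domain local group is what carries the permission; nest the role into it.
New-ADGroup -Name $domLocal -GroupScope DomainLocal -GroupCategory Security -Path $ou
Add-ADGroupMember -Identity $domLocal -Members $global

# Grant Modify on the share to the domain local group only, inherited by subfolders and files.
$acl  = Get-Acl -Path $share
$rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
    -ArgumentList "CORP\$domLocal", "Modify", "ContainerInherit,ObjectInherit", "None", "Allow"
$acl.SetAccessRule($rule)
Set-Acl -Path $share -AclObject $acl

# Blast-radius check: which resource (domain local) groups does an account end up in?
# Walks one level of nesting, which is all this model uses.
function Get-UserResourceGroups {
    param([string]$SamAccountName)
    Get-ADPrincipalGroupMembership -Identity $SamAccountName |
        ForEach-Object { $_; Get-ADPrincipalGroupMembership -Identity $_ } |
        Where-Object { $_.GroupScope -eq "DomainLocal" } |
        Select-Object -ExpandProperty Name -Unique
}
Get-UserResourceGroups -SamAccountName "jbloggs"   # expected to list DL-FS-Finance-Modify
```

Running the check for a user whose PC is infected tells you, from the group names alone, which shares need to be examined and restored.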
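An added example of the open-file alert described above (not the author’s script): it groups every open SMB handle by user, flags anyone over the 25-file threshold, and e-mails the ticket queue. It assumes Windows Server 2012 or later (the SmbShare module), an SMTP relay and mailbox addresses that are placeholders, and that it is run from a scheduled task every minute or so.

```powershell
# Added example: alert on a user holding more than 25 open files across the shares.
# Threshold matches the post; relay and addresses are hypothetical.
$Threshold  = 25
$MailParams = @{
    SmtpServer = "smtp.corp.example"         # assumed internal relay
    From       = "fileserver@corp.example"
    To         = "helpdesk@corp.example"     # the ticket queue mailbox
}

function Get-SuspiciousSmbUsers {
    param([int]$Limit = $Threshold)
    # One handle per open file; an encrypting process shows up as a single user
    # holding far more handles than any real person would.
    Get-SmbOpenFile |
        Group-Object -Property ClientUserName |
        Where-Object { $_.Count -gt $Limit } |
        ForEach-Object {
            [pscustomobject]@{
                User      = $_.Name
                OpenFiles = $_.Count
                Computers = ($_.Group.ClientComputerName | Sort-Object -Unique) -join ", "
                Sample    = ($_.Group.Path | Select-Object -First 5) -join "`n"
            }
        }
}

foreach ($hit in Get-SuspiciousSmbUsers) {
    $body = @"
$($hit.User) has $($hit.OpenFiles) files open from $($hit.Computers) (threshold $Threshold).
First few paths:
$($hit.Sample)
"@
    Send-MailMessage @MailParams -Subject "Possible crypto activity: $($hit.User)" -Body $body
    # Containment is deliberately left to a human here; if you want it automatic,
    # Close-SmbSession -ClientUserName $hit.User -Force drops that user's sessions.
}
```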
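The file screen described above, as an added example (not the author’s configuration): an FSRM file group for executables, an active screen on the share root that logs and e-mails on every hit, and an exception for the software dump folder. It assumes the FSRM role service is installed, that FSRM’s SMTP settings are already configured, and that the paths and mailbox are placeholders.

```powershell
# Added example: FSRM file screen that blocks executables except in the software dump.
# Paths, names and mailbox are hypothetical.
Import-Module FileServerResourceManager

$ShareRoot    = "D:\Shares"
$SoftwareDump = "D:\Shares\Software"

# 1. File group: what counts as "executable" for screening purposes.
New-FsrmFileGroup -Name "Executables" `
    -IncludePattern @("*.exe", "*.com", "*.scr", "*.bat", "*.cmd", "*.vbs", "*.js", "*.ps1", "*.msi")

# 2. Actions: an event log entry plus an e-mail to the ticket queue. The bracketed
#    tokens are FSRM's own substitution variables.
$eventAction = New-FsrmAction -Type Event -EventType Warning `
    -Body "User [Source Io Owner] on [Source Io Owner Machine] tried to save [Source File Path] under [File Screen Path]"
$mailAction  = New-FsrmAction -Type Email -MailTo "helpdesk@corp.example" `
    -Subject "File screen hit under [File Screen Path]" `
    -Body "User [Source Io Owner] tried to save [Source File Path]"

# 3. Template, then an active (blocking) screen on the whole share tree.
New-FsrmFileScreenTemplate -Name "Block Executables" -IncludeGroup "Executables" `
    -Active -Notification @($eventAction, $mailAction)
New-FsrmFileScreen -Path $ShareRoot -Template "Block Executables"

# 4. Exception so the approved software dump still accepts installers.
New-FsrmFileScreenException -Path $SoftwareDump -IncludeGroup "Executables"

# Verify what is in force.
Get-FsrmFileScreen -Path $ShareRoot | Select-Object Path, Active, IncludeGroup
```

File screens match on file name only, so treat this as a guard against careless saves and a source of alerts; the execution control is the AppLocker policy on the endpoint.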
Backup and Restore Methods
Backups, Backups, Backups!
Backups are critical; if you get hit, you’re gonna be relying on these to fumble your way out of the mess your end user got you in. I have shadow copies enabled on my data volume, which certainly helps, but chances are that if it’s a good crypto it will take your shadow copies with it. At the moment our file server is a physical server, so we use a Backup Exec server (I know.. it’s bad) connected to a Quantum tape library. It does incremental backups every night and a full backup over the weekend. A full file server restore would take about a day with the current setup.
If you have a virtual file server, I suggest you use Veeam to back it up as often as is reasonably practicable. The more often you back up, the less data you lose. Simple.
When restoring the data you have two options:
1. Restore the data to the original server.
2. Restore the data to a new server.
Depending on how bad the hit was, you may want to go for option 2: you can’t risk being infected twice. As for the end user machine, make sure you nuke it from orbit. Anything on that laptop should be considered infected; crack out DBAN and start over.